Cybersecurity experts hailed the K-12 Cybersecurity Act this week after US President Joe Biden signed it into law on October 8, officially kicking off efforts by CISA to examine the cybersecurity risks associated with K-12 educational institutions.
The law, which became one of the rare bills to pass in both the House and Senate, instructs CISA to examine the threats facing the nation's schools and then provide recommendations as well as toolkits to educators on cybersecurity hygiene.
"This law highlights the significance of protecting the sensitive information maintained by schools across the country, and my Administration looks forward to providing important tools and guidance to help secure our school's information systems," Biden said while signing the law.
"The global pandemic has impacted an entire generation of students and educators and underscores the importance of safeguarding their sensitive information, as well as for all Americans. This law is an important step forward to meeting the continuing threat posed by criminals, malicious actors, and adversaries in cyberspace. My Administration is marshalling a whole-of-nation effort to confront cyber threats."
The bill was originally introduced by US Senator Gary Peters and co-sponsored by Senators Jacky Rosen, Rick Scott and Bill Cassidy in 2019.
Rosen said schools in Nevada and across the country are increasingly becoming targets for ransomware and other cyberattacks, risking the personal information of students, faculty, and staff.
"I'm proud to see this bipartisan legislation that I co-sponsored signed into law, and I know that the K-12 Cybersecurity Act will help school systems like the Clark County School District prevent debilitating ransomware attacks and have the tools and resources to combat cyber threats," Rosen said.
Experts said that while the bill seems relatively simple, it will be a major help to school districts that are often overburdened and lack the technical staff to manage a widening array of cybersecurity threats.
Michael Webb, CTO at education security platform Identity Automation, said the law will be a catalyst for the changes that have already begun as a result of districts being threatened daily by malicious actors.
Any amount of help is welcome to districts struggling to upgrade their cybersecurity strategy, Webb added.
"The law will be effective at two things: raising awareness of the need to protect students online and offering guidance on how to do so. Making it happen? That's the hard part. Most districts lack the capability of managing digital identities, which is the cornerstone of a strong cybersecurity posture today," Webb said.
"The acknowledgement of tools is an interesting one. What those tools are and how effective they will be is unknown. For example, you can use a free online tool today to find out whether your password has been exposed on the dark web, but how quickly do you take steps to find out, and how quickly do you change your password? It's going to be almost a year before districts have something tangible to help them improve their cybersecurity approach."
Others noted that the initiatives would help funding-strapped schools that are unable to hire cybersecurity teams.
Untangle senior vice president Heather Paunet said few educational institutions have a deep enough understanding of how to go about protecting themselves and having official guidelines and laws such as this one will help strengthen security as a priority in a standardized way across the country.
She noted that cyberattackers are demanding higher sums, and some schools have been forced to close while dealing with the attack.
But Netenrich threat hunter John Bambenek explained that many local government units, especially schools, simply don't have money to spare.
"While studying the risks and creating free resources and guides is a good first step, the reality is that smaller and poorer districts won't be able to implement much of what is in the guide CISA will create, assuming they have any staff that can read and understand it in the first place," Bambenek said.
"This law is a good first step, but it cannot, and must not, be the last step."